Unintended consequences of seemingly innocuous amendments to a CME Group rule regarding order entry into the Globex electronic matching system could impose an extremely difficult burden and increased potential liability on clearing members for direct access clients they authorize. Moreover, while many firms struck by the ransomware WannaCry two weeks ago continued to struggle with recovering corrupted data, the US Department of Homeland Security, the Securities and Exchange Commission and the UK Financial Conduct Authority issued useful guidance to help minimize the potential destructive impact of future malware attacks. As a result, the following matters are covered in this week’s edition of Bridging the Week:

There will be no publication of Bridging the Week on May 29 because of Memorial Day.


Briefly:

Innocuous Changes in CME Group Globex Rule Could Inadvertently Increase Potential FCM Liability Bigly: CME Group announced amendments to its rule related to Globex order entry that will affirmatively require all persons that enter orders electronically into Globex (“terminal operators”) to ensure that all mandatory audit trail fields are input accurately in the first instance. Currently, such obligation applies only to some specifically enumerated fields. However, as currently is the case, clearing members that authorize such persons’ access to Globex would be “responsible for the Globex terminal operator’s compliance with this rule” even when such operator is a third-party client. This potentially would make clearing members responsible for the accurate input of all CME Group-required audit trail field information by all their non-affiliated direct access clients, as opposed to some of the information as currently is the case. (Click here to access current CME Group Rule 536.B.1.) CME Group’s revised rule is scheduled to be effective May 31.

Compliance Weeds and My View: Unfortunately, seemingly innocuous amendments to a CME Group rule – 536.B.1 – could impose a Damoclean sword of an extremely difficult burden and increased potential liability over clearing members for direct access clients they authorize. This does not appear to be the intent of the CME Group, but it appears to be a consequence.

Currently, under CME Group Rule 536.B.2, entities certified to access Globex directly must create “an audit trail” of each “message” (e.g., an order) entered into the electronic matching system. (Click here to access the elements of this audit trail.) Clearing members that authorize such access are responsible for “maintaining or causing to be maintained” the electronic audit trail for such systems for five years, although they may delegate such responsibility to clients that are also clearing members or equity member firms. (Click here to access CME Group Rule 536.B.2.)

Rule 536.B.2 goes on to explain that “Each such electronic audit trail must be complete and accurate for every electronic communication such system receives or generates,” and the audit trail must contain all required audit trail fields. However, Rule 536.B.1 requires Globex terminal operators to enter accurately in the first instance only certain, but not all, mandatory audit trail fields.

CME Group’s rule amendments reflect a desire to harmonize Rules 536.B.1 and 536.B.2 to make clear that it expects terminal operators to enter all required audit trail information accurately in the first instance. This way, when the audit trail information is retained by a direct access client or its clearing member, the information should be correct and meaningful when it is reviewed at a later time for regulatory or other reasons. Conceptually, this makes sense.

However, because of the way the rule is currently constructed and proposed to be amended, clearing members would potentially guarantee such accuracy when they have no effective means to ensure such correctness. This makes no sense.

The version of Rule 536.B.1 in effect today already imposes a very challenging responsibility on clearing members – although CME Group has not applied the rule to date in an unreasonable fashion. The amendments to the rule, however, make a problematic rule worse – although there is no reason to expect anything but a continued reasonable approach by CME Group itself in applying the rule.

Notwithstanding, CME Group should make clear that it does not expect clearing members to guarantee the accuracy of all data in all mandatory audit trail fields entered by terminal operators for which they grant direct access. It could do this by amending Rule 536.B.1 or by clarifying its view in a Market Regulation Advisory Notice – perhaps by cross-referencing another CME Group rule – Rule 574. Pursuant to this provision, a clearing member might be held liable for a violation of an exchange's rules by a direct access client it authorizes, but solely if it “has actual or constructive knowledge of [the] violation ... and the clearing member fails to take appropriate action.” (Click here to access CME Group Rule 574 – see last paragraph. Click here to access CME Group MRAN RA1520-5, a logical MRAN to amend.) This provision, at least, establishes a standard that can be practically applied.

After Victims Want to Cry Because of Attacks by WannaCry, Worldwide Regulators Issue Helpful Guidance About Ransomware: In response to the May 12 global ransomware attack principally known as WannaCry, the US Department of Homeland Security, the Securities and Exchange Commission and the UK Financial Conduct Authority issued guidance advising persons how to prevent, detect and potentially remediate the specific malware, as well as how to defend against ransomware generally. To guard against future attacks, Homeland Security encouraged all persons to follow specific precautionary measures:

make sure anti-virus software is the current version;

ensure copies of sensitive or proprietary data are routinely prepared and stored on a separate and secure location. Backup copies of sensitive information should not be readily accessible from local networks;

review with caution links contained in emails, and do not open attachments included in emails that are unsolicited or unrecognized;

download software—especially free software—only from known and trusted sites; and

enable automated patches for operating systems and Web browsers.

The SEC’s Office of Compliance Inspections and Examinations noted that, during recent examinations of 75 registered broker-dealers, investment advisers and investment companies, it observed that 5 percent of BDs and 26 percent of IAs and funds did not conduct periodic cyber-risk assessments. Moreover, 5 percent of BDs and 57 percent of IAs and funds did not conduct penetration tests and vulnerability scans on firm critical systems. OCIE encouraged registrants to review cybersecurity resources it has publicized (click here to access a sample) as well as those made available by the Financial Industry Regulatory Authority (click here to access). (Click here for further background on prior SEC and FINRA assessment of cybersecurity threats to regulated firms in the article “Industry Watchdogs Warn Brokers and Advisory Firms on Cybersecurity Threats” in the February 8, 2015 edition of Bridging the Week.)

FCA also provided links to helpful guidance to deal with the specific WannaCry ransomware (click here to access).

Helpful to Getting the Business Done: Last fall, Katten Muchin Rosenman attorneys published a very helpful guide to avoid and deal with ransomware attacks. (Click here to access the September 27, 2016 article “Is Your Business Prepared for the Ransomware Epidemic.”) The guide recommended that, among other precautions, firms should implement ongoing risk analysis, incident response and business continuity planning, regular backups, workforce training, technical safeguards, access controls, and third-party vendor management. Signing up for insurance should also be explored.

However, no matter how excellent are the precautions taken by firms, all employees must exercise common sense. As recommended by Homeland Security, employees must be trained not to open links in unsolicited or unrecognized emails.

The crooks are getting cleverer and cleverer too. Just last week I received a personal email that appeared to be from my best friend from high school (who now lives abroad), suggesting that I would enjoy opening a particular link. When I reviewed my “friend’s” email address, I noticed his name was there, as expected. However, when I looked behind his name, I saw an email address I did not recognize. After I wrote to my friend at a different email address, he confirmed to me that the earlier email was not from him. I knew then it was malware. I promptly deleted it. If this was a firm computer, I would have first alerted our IT team.

These days, what looks like a duck, waddles like a duck, and sounds like a duck, may still not be a duck. We all must be vigilant!

Hedge Fund Icon Settles SEC Insider Trading Allegations: Hedge fund icon Leon Cooperman and his firm, Omega Advisors, a registered investment adviser, agreed to resolve charges by the Securities and Exchange Commission without admitting or denying any allegations that they engaged in insider trading by paying US $5 million and agreeing to the imposition of other sanctions. Last September, the SEC charged that, in 2010, Mr. Cooperman obtained nonpublic information regarding divestiture plans of Atlas Pipeline Partners, L.P. (“APL”), a company in which he owned or controlled a substantial number of shares. Despite providing assurances to the APL executive who provided him the nonpublic information that he could not and would not trade based on it, he in fact so traded, claimed the SEC, and Omega Advisors and he profited. The SEC also charged that, over 40 times, Mr. Cooperman failed to timely report to it, as required, information about the securities of publicly traded companies that he beneficially owned. (Click here for information regarding the SEC’s initial complaint in the article “Hedge Fund Icon Sued by SEC for Alleged Insider Trading” in the September 25, 2016 edition of Bridging the Week.) Among the other sanctions agreed to, the defendants must (1) retain an onsite independent compliance consultant through 2022 to access electronic communications and review trading; (2) make monthly certifications that they did not trade on inside information; and (3) outsource their required beneficial ownership filings.

Legal Weeds: Recently, the Commodity Futures Trading Commission commenced and settled two enforcement actions, sounding in the securities concept of insider trading, but relying on its own legal basis – the relatively new provision of law and CFTC rule that prohibits employment of a manipulative or deceptive device or contrivance in connection with futures or swaps trading. (Click here to access Commodity Exchange Act Section 6(c)(1), US Code § 9(1), and here to access CFTC Rule 180.1.)

Most recently, in September 2016, the CFTC brought and settled charges against Jon Ruggles, a former trader for Delta Airlines, for trading accounts in his wife’s name based on his knowledge of trades he anticipated placing for his employer. The CFTC claimed that this constituted trading on illicitly misappropriated information – a type of prohibited insider trading.

To resolve the CFTC’s charges, Mr. Ruggles agreed to pay a fine of US $1.75 million; disgorge all trading profits on a specified schedule over 42 months; and never again trade on a market overseen by the CFTC. (Click here for additional information in the article “Ex-Airline Employee Sued by CFTC for Insider Trading of Futures Based on Misappropriated Information” in the October 2, 2016 edition of Bridging the Week.)

In its first action sounding in insider trading, the CFTC alleged in 2015 that Arya Motazedi, a gasoline trader for an unnamed large, publicly traded corporation, similarly misappropriated trading information of his employer for his own benefit. (Click here for information regarding the CFTC’s enforcement action against Mr. Motazedi in the article “CFTC Brings First Insider Trading-Type Enforcement Action Based on New Anti-Manipulation Authority” in the December 6, 2015 edition of Bridging the Week.)

The CFTC has used its manipulative or deceptive device or contrivance authority in a wide range of enforcement actions stemming from its first use in the JP Morgan “London Whale” episode to subsequent allegations of illegal off-exchange metals transactions, claims of more traditional manipulation of wheat, allegations of spoofing and insider trading. The CFTC has made clear it sees its new authority “as a broad, catch-all provision reaching fraud in all its forms – that is, intentional or reckless conduct that deceives or defrauds market participants” and will use it whenever possible – including for allegations of trading on the basis of material nonpublic information obtained as a result of a breach of a duty of confidentiality, or through fraud or deception. (Click here to access the CFTC’s views on the reach of its authority under CFTC Rule 180.1 in the Federal Register adopting release for this provision.)

Broker-Dealer CMBS Traders Charged with Lying to Customers to Increase Firm Profits: The Securities and Exchange Commission charged two former head traders of the Commercial Mortgage-Backed Securities (“CMBS”) desk of Nomura Securities International Inc. with purposely lying to their customers to increase their desk’s profits and their own bonuses. One of the two defendants, Kee Chan, simultaneously agreed to settle his action by paying a fine of US $150,000, disgorging profits and agreeing to be barred from the securities industry with the right to reapply after three years. The second defendant, James Im, determined to contest the SEC’s charges. According to the Commission, from 2010 through 2014, Mr. Chan and Mr. Im, on behalf of Nomura, often bought CMBS from one customer and sold to another. During this time, said the Commission, the defendants intentionally misled and lied to customers regarding the prices at which Nomura had purchased or sold the CMBS; the bids and offers Nomura made or received on the CMBS; the compensation Nomura would receive for arranging the CMBS transactions; and who owned the security. The SEC said that the defendants often pretended they were negotiating with a third party at a time that Nomura had acquired the security. The defendants allegedly “fabricated entire negotiations and conversations with nonexistent third parties in order to embellish [their] lies,” alleged the SEC. Mr. Chan’s settlement is subject to court approval, while Mr. Im’s case remains pending in a federal court in New York.

More briefly:

Love in the Office Between Unnamed US Attorney and Subordinate Criticized by Department of Justice Inspector General: The Office of Inspector General of the US Department of Justice substantiated allegations referred to it that an unnamed US Attorney, now retired, engaged in a prohibited “intimate personal relationship” with a high level subordinate in the same office – an unnamed Assistant US Attorney. According to OIG, the US Attorney’s misconduct “gave the appearance of partiality, created a difficult work environment, and violated Executive branch-wide standards of conduct, federal ethics regulations and possibly federal regulations.” Additionally, the OIG found that the AUSA “inadvertently” did not report spousal stock trades completely and accurately, as required. The US Attorney retired after the OIG investigation began.

CFTC Creates New FinTech Initiative – A Lab, Not a Sandbox: The Commodity Futures Trading Commission created a new initiative to promote FinTech innovation termed LabCFTC. The objective of the initiative, said the CFTC, was to make the CFTC more accessible to FinTech innovators while at the same time helping the CFTC learn of new technologies. In part, the CFTC hopes to “identify and utilize emerging technologies that can enable the CFTC to carry out its mission more effectively and efficiently in the new digital world,” said Acting Chairman J. Christopher Giancarlo in a speech announcing the new initiative last week (click here to access the full transcript). Other worldwide regulators have adopted similar forums to support FinTech innovators offering new types of products in the financial services industry. (Click here for background in the article “Canadian Securities Regulators Join the Sandbox Movement” in the February 26, 2017 edition of Bridging the Week.)

Shanghai Clearing House CFTC Registration Relief Extended for Six Months: The Commodity Futures Trading Commission’s Division of Clearing and Risk extended for another six months relief previously given, permitting the Shanghai Clearing House to act as a derivatives clearing organization to clear swaps subject to mandatory clearing in China for the proprietary trades of SHCH clearing members that are US persons. The SHCH is authorized to act in this capacity for this additional time without being registered as a DCO with the CFTC. In the interim the CFTC is considering a permanent application for exemption from the SHCH. However, an exemption from registration would only be granted, said the CFTC staff, if it can be demonstrated that “the existing regulatory and oversight regime” in China would permit the SHCH to provide to the CFTC the “full scope” of information it requires under exemptive relief. Staff is also trying to better understand cybersecurity law in China.

FINRA Seeks Comments on Rules Governing Outside Business Activities and Private Securities Transactions: The Financial Industry Regulatory Authority sought comment on its rules regarding outside business activities and private securities transactions by broker-dealer employees. FINRA seeks to determine whether its rules are effectively protecting investors from potentially problematic activities by broker-dealer employees that occur away from the firm without the broker-dealer’s knowledge. Comments will be accepted by FINRA through June 29.

CBOE Futures Exchange Issues Best Practices for Trading Privilege Holders: CBOE Futures Exchange issued “best practices” for trading privilege holders (“TPH”) and market data recipients to follow to avoid potential issues that might arise when interfacing with the exchange’s trading system and market data services. Most importantly, CBOE Futures encourages TPH to contact the Help Desk timely when there are execution discrepancies, execution and/or clearing reports in excess of original order quantity or self-trade bust reports. Block trades must be reported within 10 minutes of trade time while exchange of contract for related position transactions must be reported within 30 minutes of the trade confirmation receipt.

Canadian Self-Regulator Proposes Changes to Customer Protection Regime: The Investment Industry Regulatory Organization of Canada proposed amendments to its dealer member rules to accommodate upcoming changes expected at ICE Clear Canada and the Canadian Derivatives Clearing Corporation to restrict linkages between a dealer member’s futures business and other business lines not subject to the Canadian futures market segregation and porting regime. Among other things, the amendments will set higher customer margin to accommodate the new CCP gross margin model; apply stricter criteria in order to apply offset margin requirements for customer cross-product hedges between securities and futures positions; and eliminate the potential of customer guarantees between securities and futures accounts. Comments will be accepted by IIROC through August 16.

New Names Added to OFAC’s Specially Designated Nationals List: The Office of Financial Assets Control of the US Department of Treasury has added a few names to its specially designated nationals list. This list identifies persons with whom US financial institutions should not conduct business as their assets are blocked.


The information in this article is for informational purposes only and is derived from sources believed to be reliable as of May 20, 2017. No representation or warranty is made regarding the accuracy of any statement or information in this article. Also, the information in this article is not intended as a substitute for legal counsel, and is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The impact of the law for any particular situation depends on a variety of factors; therefore, readers of this article should not act upon any information in the article without seeking professional legal counsel. Katten Muchin Rosenman LLP may represent one or more entities mentioned in this article. Quotations attributable to speeches are from published remarks and may not reflect statements actually made.